CVE-2025-67433
Heap Buffer Overflow in Open TFTP Server Causes DoS
Publication date: 2026-02-12
Last updated on: 2026-02-26
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open_tftp_server_multithreaded | open_tftp_server_multithreaded | 1.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67433 is a memory-corruption vulnerability in Open TFTP Server MultiThreaded version 1.7, classified as a heap-based buffer overflow (CWE-122). It is triggered in the processRequest function when the server accepts a large block size (blksize) option in a TFTP Write Request (WRQ) without adequate validation.
An attacker first sends a WRQ that negotiates a large blksize (for example, 60,000 bytes), which makes the server allocate a correspondingly large heap buffer. A crafted DATA packet followed by a malformed ERROR packet then causes the server to reuse that heap buffer unsafely, copying its contents into a fixed-size stack buffer without checking the length. The oversized copy overwrites saved stack pointers and register state, so the server crashes; the advisory records the impact as denial of service, and the same corruption is what would have to be controlled for the code-execution scenario discussed below. Note that the attacker-controlled blksize drives the heap allocation, while the final unchecked copy as described lands in a stack buffer, so the memory-safety failure spans both regions.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause a Denial of Service (DoS) or potentially execute arbitrary code remotely on the affected server.
- Denial of Service (DoS): The server can crash due to corrupted pointers and memory, making the service unavailable.
- Remote Code Execution (RCE): An attacker may gain control over the server by exploiting the buffer overflow to overwrite return addresses and CPU registers.
These impacts require that the server is configured to allow file write operations and that the attacker can send specially crafted packets to the server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation begins with a TFTP Write Request (WRQ) that negotiates an unusually large blksize option (for example, 60,000 bytes) against Open TFTP Server MultiThreaded 1.7, so detection focuses on spotting such requests on the wire.
A practical approach is to capture traffic to the server and inspect WRQ packets for a large blksize option. Only the initial request arrives on UDP port 69: per the TFTP protocol the server answers from a fresh ephemeral port, and the rest of the transfer (including the DATA and ERROR packets that complete the attack) runs between ephemeral ports. A capture filtered on port 69 alone therefore sees the trigger but not the follow-up; capture all UDP traffic to the host and let the dissector pick out TFTP.
Suggested commands, using tcpdump to capture and Wireshark to analyze:
- tcpdump -i <interface> -w tftp_traffic.pcap udp and host <tftp_server> (keep -w before the filter expression so every tcpdump build parses it as an option rather than as part of the filter)
- Open the capture in Wireshark and apply the display filter tftp.opcode == 2 && tftp.option.name == "blksize", then check the matching tftp.option.value for values far above the 512-byte default or your network MTU.
Custom scripts or IDS logic that decode the WRQ option list and flag blksize values above a sane threshold can automate the same check; repeated requests of this shape from one client are a strong indicator of an exploitation attempt.
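The following script is an added example, not code from the advisory or the Open TFTP Server project. It decodes the TFTP request format (opcode, NUL-terminated filename and mode, then RFC 2347 option/value pairs) and flags Write Requests whose blksize exceeds a threshold. The 8192-byte threshold and the sample packets are constructed for the example; real deployments would feed it the UDP payloads pulled from a capture.

```python
import struct
from typing import Dict, Optional

# Opcodes from RFC 1350; the option encoding (name\0value\0 pairs after
# filename\0mode\0) is from RFC 2347 and blksize itself from RFC 2348.
OP_RRQ, OP_WRQ = 1, 2
# Detection threshold chosen for this example (an assumption, not a protocol
# limit): RFC 2348 permits 8..65464, but legitimate clients rarely exceed a
# few KiB, and the advisory cites 60,000 as the triggering value.
SUSPICIOUS_BLKSIZE = 8192


def parse_request(payload: bytes) -> Optional[dict]:
    """Parse a TFTP RRQ/WRQ payload (UDP data only, no IP/UDP headers).

    Returns a dict with opcode, filename, mode and an options dict, or None
    when the payload is not a well-formed request.
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    # Every field is NUL-terminated, so a valid split ends with one empty
    # element; anything else means a truncated or unterminated request.
    if len(fields) < 3 or fields[-1] != b"":
        return None
    fields = fields[:-1]
    # filename, mode, then option/value pairs: the field count must be even.
    if len(fields) % 2 != 0:
        return None
    options: Dict[str, str] = {}
    for name, value in zip(fields[2::2], fields[3::2]):
        # Option names are case-insensitive per RFC 2347.
        options[name.decode("ascii", "replace").lower()] = value.decode("ascii", "replace")
    return {
        "opcode": opcode,
        "filename": fields[0].decode("ascii", "replace"),
        "mode": fields[1].decode("ascii", "replace").lower(),
        "options": options,
    }


def flag_large_blksize(payload: bytes, threshold: int = SUSPICIOUS_BLKSIZE) -> Optional[int]:
    """Return the requested blksize if a WRQ asks for more than threshold, else None.

    Only WRQ is flagged because the advisory ties the overflow to write requests;
    widen the opcode check if you also want oversized RRQ negotiation reported.
    """
    req = parse_request(payload)
    if req is None or req["opcode"] != OP_WRQ:
        return None
    raw = req["options"].get("blksize")
    if raw is None or not raw.isdigit():
        return None
    size = int(raw)
    return size if size > threshold else None


def build_request(opcode: int, filename: str, mode: str = "octet", **options: int) -> bytes:
    """Encode a request the way a client would; used here only to construct samples."""
    parts = [struct.pack("!H", opcode), filename.encode() + b"\x00", mode.encode() + b"\x00"]
    for name, value in options.items():
        parts.append(name.encode() + b"\x00" + str(value).encode() + b"\x00")
    return b"".join(parts)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "normal_wrq": build_request(OP_WRQ, "upload.bin", blksize=1428),
    "large_wrq": build_request(OP_WRQ, "upload.bin", blksize=60000),
    "rrq_large": build_request(OP_RRQ, "boot.img", blksize=60000),
    "truncated": b"\x00\x02upload.bin",
}


def scan(samples: Dict[str, bytes]) -> Dict[str, Optional[int]]:
    """Map each sample name to the oversized blksize it negotiates, or None."""
    return {name: flag_large_blksize(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:12s} {'ALERT blksize=' + str(hit) if hit else 'ok'}")
```

The parser rejects anything that is not properly NUL-terminated or has an odd number of trailing fields, so malformed probes fail closed rather than producing a misleading "no blksize" result; pair the flag with the source address to build a per-client alert.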
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps:
- Disable file write operations on Open TFTP Server MultiThreaded 1.7 by setting the 'write' option to 'N' in the OpenTFTPServer.ini configuration file. If writes are not needed, make sure no 'write=Y' line is active (leave it commented out); the overflow is reached only through Write Requests, so this removes the attack path.
- Restrict or block inbound UDP traffic on port 69 from untrusted networks to reduce exposure.
- Limit the maximum blksize the server will accept so clients cannot negotiate the large block sizes that drive the oversized heap allocation and the overflow.
- Apply a vendor patch or update addressing this vulnerability as soon as one becomes available. [1]
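As an added example (not from the advisory or the Open TFTP Server project), the script below audits the write and blksize settings described above. The two ini fragments are constructed, and the [TFTP-OPTIONS] section name, the Write/blksize key names and the 1428-byte cap are assumptions for the example; compare them with the comments in your own OpenTFTPServer.ini before relying on the check.

```python
import configparser
from typing import List

# Constructed fragments of an OpenTFTPServer.ini. The [TFTP-OPTIONS] section
# name and the Write/blksize keys are assumed for this example.
WEAK_INI = """
[TFTP-OPTIONS]
#maximum block size the server will accept from clients
blksize=65464
Read=Y
Write=Y
Overwrite=Y
"""

HARDENED_INI = """
[TFTP-OPTIONS]
blksize=1428
Read=Y
#Write=N removes the WRQ path the advisory describes
Write=N
Overwrite=N
"""

# Upper bound on blksize we consider acceptable: an assumption chosen to fit
# a standard Ethernet MTU, not a value taken from the advisory.
MAX_BLKSIZE = 1428


def audit_tftp_options(ini_text: str, max_blksize: int = MAX_BLKSIZE) -> List[str]:
    """Return findings for the [TFTP-OPTIONS] section; an empty list means clean."""
    cp = configparser.ConfigParser(
        allow_no_value=True,        # sections such as [HOME] hold bare values
        delimiters=("=",),          # keep ':' in Windows paths out of key parsing
        interpolation=None,         # paths may contain '%' characters
        comment_prefixes=("#", ";"),
        strict=False,               # tolerate duplicate keys rather than abort
    )
    cp.read_string(ini_text)
    findings: List[str] = []
    if not cp.has_section("TFTP-OPTIONS"):
        # No section means defaults apply; the advisory's guidance implies
        # writes are off unless write=Y is explicitly enabled.
        return findings
    opts = cp["TFTP-OPTIONS"]
    # configparser lowercases keys, so lookups are case-insensitive.
    write = (opts.get("Write") or "N").strip().upper()
    if write == "Y":
        findings.append(
            "Write=Y: uploads (WRQ) enabled, the path to CVE-2025-67433; set Write=N"
        )
    raw = (opts.get("blksize") or "").strip()
    if raw.isdigit() and int(raw) > max_blksize:
        findings.append(
            f"blksize={raw}: allows oversized block negotiation; cap at {max_blksize} or lower"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_tftp_options(text) or ["clean"])
```

Run it against the real file with `audit_tftp_options(open("OpenTFTPServer.ini").read())`; a non-empty result lists the specific lines to change.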